Hi Jason, a good program to check for rootkits can be found here:
http://www.chkrootkit.org/

- Achim

On Sun, 2003-06-29 at 15.47, Jason Lim wrote:
> Hi Russell,
>
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
>
> The user CGIs run as the user's UID... suexec.
>
>
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
>
> Is there any way to verify the integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
>
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).
>
> Is there any tool that could search the system for root suid scripts (so
> the hacker can log in again and gain root easily)?
>
>
> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even set up a new server (with SE Linux
> and various others) and migrate the accounts over.
>
> Thanks in advance!!!
>
> Sincerely,
> Jason
>
> ----- Original Message -----
> From: "Russell Coker" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>; <debian-isp@lists.debian.org>
> Sent: 29 June, 2003 4:02 PM
> Subject: Re: Server hacked - next...?
>
>
> > On Sun, 29 Jun 2003 17:12, Jason Lim wrote:
> > > The box is a very recently updated "stable" box... virtually every
> > > other date apt-get is update/upgrade.
> > >
> > > The box is set up very secure... the usual things were done... like
> > > ensuring no unused services are running and things like that.
> > >
> > > So does that mean "stable" is actually vulnerable to something we all
> > > don't know about???
> >
> > That could be the case.
> >
> > Or it could be some issue of your configuration. Maybe you have Apache
> > set to run customer cgi-bin scripts under the same UID and a customer
> > uploaded an insecure or hostile cgi-bin script.
> >
> > Have you considered using SE Linux?
> >
> > --
> > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> > http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/ My home page
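Jason's two questions above (checking installed files against the checksums dpkg knows, and finding setuid-root files) can be answered with the per-package md5sums files dpkg keeps under /var/lib/dpkg/info; the debsums package does the first job too. The script below is an added example, not code from anyone in this thread; the info-directory and root-prefix arguments are my own so it can be pointed at a disk mounted somewhere other than /.

```shell
#!/bin/sh
# Added example, not from the thread. dpkg records one
# "<md5>  <path relative to />" line per installed file in
# /var/lib/dpkg/info/<pkg>.md5sums (conffiles are not listed there).
# Caveat: those checksum files sit on the same disk the intruder had,
# so a match proves little; a MISMATCH/MISSING line is still solid triage.

# dpkg_verify [info_dir] [root_prefix]
# Prints "<pkg> <path> MISMATCH|MISSING" for each file that differs.
# root_prefix lets you check a disk mounted elsewhere (e.g. /mnt).
dpkg_verify() {
    info_dir="${1:-/var/lib/dpkg/info}"
    root="${2:-}"
    for sums in "$info_dir"/*.md5sums; do
        [ -f "$sums" ] || continue
        pkg=$(basename "$sums" .md5sums)
        while read -r expected rel; do
            [ -n "$rel" ] || continue
            f="$root/$rel"
            if [ ! -f "$f" ]; then
                echo "$pkg /$rel MISSING"
                continue
            fi
            actual=$(md5sum "$f" | cut -d' ' -f1)
            [ "$actual" = "$expected" ] || echo "$pkg /$rel MISMATCH"
        done < "$sums"
    done
}

# Just the package names, ready for: apt-get --reinstall install $(...)
dpkg_verify_pkgs() {
    dpkg_verify "$@" | cut -d' ' -f1 | sort -u
}

# find_suid_root [dir]: setuid/setgid files owned by root under dir,
# staying on one filesystem; diff the output against a known-good box.
find_suid_root() {
    find "${1:-/}" -xdev -type f -user root \
        \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}
```

Run it from a rescue system against the disk mounted read-only rather than on the running box, since md5sum and find themselves may be among the replaced binaries.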